Diablo6 virus rolls out another malspam campaign

Diablo6 virus operates as the latest version of the notorious Locky ransomware[1]. It encrypts data on the victim’s computer using a combination of the RSA-2048 and AES-128 ciphers and appends the .diablo6 file extension to every file. Once the procedure is finished, the data becomes unreadable. Finally, the malware creates a ransom note called diablo6.htm and replaces the desktop background with a diablo6.bmp image. Note that this crypto-ransomware is not related to the Diablo game in any way, even though its authors seem to be fans of it.

The threat arrives in the form of a .ZIP email attachment that contains a VBS downloader. It then connects to one of the malicious domains, downloads and executes the Locky Diablo6 ransomware.

During the encryption, Locky virus renames each file by swapping its original name with a set of characters. The new file name follows this pattern: [8 first characters of the victim's ID]-[next 4 characters of the ID]-[next 4 characters of the ID]-[4 random characters]-[12 random characters].diablo6.
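The naming scheme is useful during triage: it tells you which files were touched and embeds the victim ID that the Locky payment page keys on. The following is an added example (not code from the original article or from the Locky authors) that walks a listing of Windows paths, recognises the .diablo6 pattern, pulls out the embedded victim ID and counts the ransom note artifacts. The listing is constructed for illustration, and the assumption that every group in the name is alphanumeric is the example's own.

```python
"""Triage a file listing from a machine hit by Locky Diablo6 (added example)."""
import re
from pathlib import PureWindowsPath

# Name pattern described in the article: 8-4-4 characters of the victim ID,
# 4 random characters, 12 random characters, then the .diablo6 extension.
# Assumption: every group is alphanumeric ([0-9A-Za-z] also covers hex IDs).
DIABLO6_NAME = re.compile(
    r"^(?P<id1>[0-9A-Za-z]{8})-(?P<id2>[0-9A-Za-z]{4})-(?P<id3>[0-9A-Za-z]{4})"
    r"-(?P<rand1>[0-9A-Za-z]{4})-(?P<rand2>[0-9A-Za-z]{12})\.diablo6$",
    re.IGNORECASE,
)

# Ransom note and wallpaper names from the article.
RANSOM_ARTIFACTS = {"diablo6.htm", "diablo6.bmp"}


def parse_diablo6_name(path):
    """Return the victim ID and random part of an encrypted file name, or None."""
    match = DIABLO6_NAME.match(PureWindowsPath(path).name)
    if not match:
        return None
    return {
        "victim_id": match["id1"] + match["id2"] + match["id3"],
        "random": match["rand1"] + match["rand2"],
    }


def triage_listing(paths):
    """Split Windows paths into encrypted files, ransom artifacts and the rest."""
    encrypted, artifacts, untouched = [], [], []
    victim_ids = set()
    for path in paths:
        parsed = parse_diablo6_name(path)
        if parsed:
            encrypted.append(path)
            victim_ids.add(parsed["victim_id"])
        elif PureWindowsPath(path).name.lower() in RANSOM_ARTIFACTS:
            artifacts.append(path)
        else:
            untouched.append(path)
    return {
        "encrypted": encrypted,
        "artifacts": artifacts,
        "untouched": untouched,
        # More than one ID in a single listing usually means more than one
        # infected host wrote to the same location (for example a file share).
        "victim_ids": sorted(victim_ids),
    }


# Constructed listing for the demonstration; the names are made up, not real samples.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\A1B2C3D4-E5F6-A7B8-C9D0-E1F2A3B4C5D6.diablo6",
    r"C:\Users\alice\Documents\A1B2C3D4-E5F6-A7B8-1234-ABCDEF123456.diablo6",
    r"C:\Users\alice\Desktop\diablo6.htm",
    r"C:\Users\alice\Desktop\diablo6.bmp",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"\\fileserver\share\0F0F0F0F-1111-2222-3333-444455556666.diablo6",
]

if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    print(f"{len(report['encrypted'])} encrypted files, "
          f"{len(report['artifacts'])} ransom artifacts, "
          f"victim IDs: {', '.join(report['victim_ids'])}")
```

Feed it the output of a recursive directory listing (or a file-server audit log) and the victim ID list immediately shows whether one or several infected workstations wrote into a share, which decides how many hosts have to be isolated.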

Once data encryption is complete, the virus immediately opens the ransom note in the victim’s default browser. The ransom note starts with a straightforward explanation of what happened:

!!! IMPORTANT INFORMATION !!!! All of your files are encrypted with RSA-2048 and AES-128 ciphers.

The virus urges the victim to install Tor browser and visit a provided .onion website to access Locky Decryptor page. The price of Diablo6 decryption tool is 0.5 Bitcoin, which is approximately 1642 US dollars.

At the moment, there is no way to decrypt files encrypted by this dangerous virus. In terms of sophistication, it is very similar to Cerber. That does not mean, however, that you have to pay the ransom. Paying does not guarantee data recovery, either: the chance of being scammed is high, and obeying the extortionists’ demands simply motivates them to create even more malware[2].

If your files were corrupted by the latest Locky ransomware variant, remove Diablo6 using Reimage or Malwarebytes Anti-Malware. Your computer must be in Safe Mode with Networking in order to complete the removal successfully.

After completing Diablo6 removal, use your data backup to restore damaged files. Many people do not have data backups; if you are one of them, it might be impossible to restore your records. Think of places where intact copies of your data might exist (USB drives, CDs, email or elsewhere) and transfer them to your computer after deleting the virus. You can find alternative data recovery options below the article.

The ransomware now switches to .docm files

The Locky Diablo6 variant is distributed via a malspam campaign that delivers emails with subject lines similar to E [date] (random numbers).docx. The malware-laden email carries an attachment named E [date] (random numbers).zip. The message body lacks any explanation and contains three words only:

—Files attached. Thanks

The ZIP file contains a VBS script that uses the victim’s Internet connection to download the malware from a compromised domain. The script may carry several domains to fall back on in case one of them does not respond. It is designed to download Diablo6 ransomware to the %TEMP% folder and launch it immediately. Note that the dates in the report may be earlier than the current campaign; this only implies that Locky authors have been working on the new campaign for some time.

The current analysis reveals that the threat now returns to its old habit of baiting users with .docm files. Its predecessor variant attempted to persuade unsuspecting users to open an infected .doc file and enable macros, and Diablo6 works the same way; this time, however, it uses a .docm file as the bait.

This time, there is no message content except the subject line, and the infected .docm is disguised within IMG_[4 digits].pdf.[3] If you enable the macros of the file, you will face the severe consequences of the malware.
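Both delivery vectors described on this page, the ZIP carrying a VBS downloader and the macro-enabled .docm hidden behind a picture-like name, can be caught with static checks on the attachment before anyone opens it. The following added example (not code from the original article or from any Locky sample) inspects one attachment: for a .zip it extracts any script inside and reports the download domains and downloader idioms it contains; for an Office file it checks for the VBA project that a .docm carries; and it flags double extensions such as IMG_1234.pdf.docm. The sample attachments, the .invalid domains and the downloader indicator patterns are all constructed assumptions for the demonstration.

```python
"""Static triage of Locky Diablo6 malspam attachments (added example)."""
import io
import re
import zipfile

# Traits of a VBScript downloader: shell/HTTP/stream objects, a write to disk
# under %TEMP% and execution of the dropped file.  These are common downloader
# idioms chosen for the example, not strings copied from a Diablo6 sample.
VBS_INDICATORS = {
    "shell_object": re.compile(r'CreateObject\("WScript\.Shell"\)', re.I),
    "http_object": re.compile(r'CreateObject\("(?:MSXML2|Microsoft)\.XMLHTTP', re.I),
    "stream_object": re.compile(r'CreateObject\("ADODB\.Stream"\)', re.I),
    "save_to_disk": re.compile(r"\.SaveToFile\b", re.I),
    "temp_drop": re.compile(r"%TEMP%", re.I),
    "run_payload": re.compile(r"\.Run\b", re.I),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"')]*)?", re.I)
# "IMG_1234.pdf.docm" style names: a harmless-looking extension before the real one.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|jpe?g|png|txt)\.(?:docm|doc|dotm|vbs|js|wsf|exe|scr)$", re.I)
SCRIPT_EXTS = (".vbs", ".js", ".wsf")
OFFICE_EXTS = (".docm", ".dotm", ".doc", ".docx")


def scan_vbs(text):
    """Extract download URLs/domains and downloader indicators from script text."""
    urls = URL_RE.findall(text)
    domains = sorted({u.split("//", 1)[1].split("/", 1)[0].lower() for u in urls})
    indicators = sorted(name for name, rx in VBS_INDICATORS.items() if rx.search(text))
    return {"urls": urls, "domains": domains, "indicators": indicators}


def office_has_macro(data):
    """A .docm is an OOXML zip; VBA code lives in word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "word/vbaProject.bin" in z.namelist()
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return a verdict and the reasons behind it for one attachment."""
    result = {"filename": filename, "reasons": []}
    lower = filename.lower()
    if DOUBLE_EXT_RE.search(filename):
        result["reasons"].append("double extension")
    if lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.filename.lower().endswith(SCRIPT_EXTS):
                    result["script"] = info.filename
                    result.update(scan_vbs(z.read(info).decode("latin-1")))
                    result["reasons"].append(f"script {info.filename} inside archive")
    elif lower.endswith(OFFICE_EXTS) and office_has_macro(data):
        result["reasons"].append("VBA project present")
    result["verdict"] = "suspicious" if result["reasons"] else "clean"
    return result


def build_zip(entries):
    """Build an in-memory zip from {name: content}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins (not real malware): the script holds only the lines the
# indicators above look for, with fictitious .invalid domains as the fallback list.
SAMPLE_VBS = """Dim sh, http, st, tmp, u
Set sh = CreateObject("WScript.Shell")
tmp = sh.ExpandEnvironmentStrings("%TEMP%") & "\\svc.exe"
For Each u In Array("http://one.example.invalid/img.php", "http://two.example.invalid/img.php")
    Set http = CreateObject("MSXML2.XMLHTTP")
    Set st = CreateObject("ADODB.Stream")
    st.SaveToFile tmp, 2
    sh.Run tmp
Next
"""
SAMPLE_ZIP = build_zip({"E 2017-08-09 (7391).vbs": SAMPLE_VBS})
SAMPLE_DOCM = build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"\x00"})
SAMPLE_DOCX = build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})

if __name__ == "__main__":
    for name, blob in [("E 2017-08-09 (7391).zip", SAMPLE_ZIP),
                       ("IMG_2974.pdf.docm", SAMPLE_DOCM), ("report.docx", SAMPLE_DOCX)]:
        print(triage_attachment(name, blob))
```

The domain list is the part worth acting on first: block or sinkhole every fallback domain, not only the first one, because the script is built to try the next host when one is taken down. The macro check is deliberately crude (presence of a VBA project, not its content); a .docm with no vbaProject.bin cannot run macros at all, so it is a cheap first filter before deeper analysis.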

The perpetrators keep polishing their malware distribution campaigns, which now look more sophisticated. However, no matter how elaborate such emails look, do not give in to curiosity and do not open attachments received from unknown senders.

On the other hand, if a friend gets infected with a computer worm, he or she might send you the corrupted link without knowing it. In that case, contact them directly. If you scan the file, note that malware authors apply various “cloaking” techniques to prevent anti-virus software from detecting the infection.

To protect yourself from Locky Diablo, follow the provided tips:

Never open email attachments that were sent to you by someone you don’t know. If the message looks vague or shady, never click on links or files attached to it;

Secure your computer system with anti-malware software. Keep it running at all times;

Dedicate some time to create a data backup. It is the only efficient tool that helps to restore crippled files after a ransomware attack;

Enable automatic software updates to always have the latest and most secure software versions on your PC.

According to experts, the first wave of the ransomware hit Germany and the US. If you are a German-speaking PC user, consider visiting DieViren.de for help[4].

Eliminate Locky Diablo6 virus

Your computer will be secure only if you remove Diablo6 virus professionally. Let us remind you that you are dealing with one of the most destructive ransomware-type programs, even if it is sometimes regarded as inferior to another ransomware, Cerber.

It continuously changes its attack vectors and its own structure, so it is better to leave Diablo6 removal to a professional anti-malware program developed by malware analysts. Do not forget that you must update the security program to its latest version in order to eliminate the ransomware fully. After deleting the virus, start testing the available data recovery techniques.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By downloading any provided anti-spyware software to remove Diablo6 ransomware virus you agree to our privacy policy and agreement of use.

Reimage is recommended to uninstall Diablo6 ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Diablo6 removal.

If the ransomware blocks Safe Mode with Networking, try the following method.

When a new window shows up, click Next and select a restore point that precedes the infiltration of Diablo6. After doing that, click Next.

Now click Yes to start system restore.

Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Diablo6 removal is performed successfully.

Bonus: Recover your data

The guide presented above should help you remove Diablo6 from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

At the moment, it is impossible to recover files encrypted by Locky using any third-party decryption tool. The only reliable solution is a data backup. Failing that, you can attempt to restore some files from Volume Shadow Copies using the method below. Bear in mind that Locky attempts to delete the shadow copies on the infected machine, so this only works if that step failed or was interrupted.

If your files are encrypted by Diablo6, you can use the following method to restore them:

Follow a Shadow Explorer Setup Wizard and install this application on your computer;

Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;

Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Locky Decryptor

We do not recommend buying Locky Decryptor because it is a tool created by cybercriminals. It can contain spying tools, banking trojans or other forms of malware. Besides, it might fail to restore your files. Even though malware analysts have not yet created an official decryption tool, we do not recommend paying the ransom to cybercriminals.